Presentation S&P 2010 Clemens Kolbitsch

Int. Secure Systems LabVienna University of Technology

Inspector GadgetAutomated Extraction of Proprietary

Gadgets from Malware Binaries

Clemens KOLBITSCH Thorsten HOLZ

Engin KIRDA Christopher KRUEGEL

[email protected]

Int. Secure Systems LabVienna University of Technology, Institute Eurecom Sophia Antipolis, UC Santa Barbara

Inspector Gadget 2


Motivation

• Analysis of malicious code is challenging

Inspector Gadget 3


Motivation


• Looking at the inner workings of every samples has become infeasible– … due to various obfuscation techniques– … due to analysis resistance (e.g., anti-debugging

techniques)– … due to the huge number of malware families / variants

Inspector Gadget 4


Motivation


76 172 submissions

58 041 new samplesAnubis

Inspector Gadget 5


Motivation


• Looking at the inner workings of every samples has become infeasible– … due to various obfuscation techniques– … due to analysis resistance (e.g., anti-debugging

techniques)– … due to the huge number of malware families / variants

• Results of dynamic analys is cluttered by other behavior sample is capable of

Inspector Gadget 6


Motivation

• Results of dynamic analys is cluttered by other behavior sample is capable of

binaryupdate

binaryupdate

componentinstallation


C & Ccommunication

C & Ccommunication

spamtemplating

spamtemplating

targetselection

targetselection

C & Clocation

C & Clocation

220 mx.google.com250google250PIPELINING250SIZE 10240000250VRFY250STARTTLS


armzasn.netkevflnwroo.comdzqbpieiy.inforqkixea.bizkomug.netvhiax.org


Inspector Gadget 7


Motivation

• Results of dynamic analysis cluttered by other behavior sample is capable of

• Dynamic analysis is very resource consuming...

• … and only provides temporary snapshot– malicious behavior might dependent on

• analysis date & time• analysis environment (e.g., username, host OS, …)• availability of remote resources (e.g., C&C hosts)

– needs to be repeatedly performed on single sample• at different points in time• preferably on different systems• even more time/resource consuming

Inspector Gadget 8


Motivation – Inspector

Wouldn't it be cool if we were able to extract asingle behavior into a standalone component and

use this to re-invoke the behavior?

• Removes clutter from analysis results

• Independent of other malicious activity– can be executed without virtual environment

• Easy to replay in a different situation such as– point in time– operating system

Inspector Gadget 9


Motivating Example

• Conficker Domain Generation Algorithm (DGA)– decides which remote host to contact for C&C– domain depends on current time– current time is fetched from a remote host (e.g., msn)

Inspector Gadget 10


Motivating Example

• Conficker Domain Generation Algorithm (DGA)– decides which remote host to contact for C&C– domain depends on current time– current time is fetched from a remote host (e.g., msn)binary

update

binaryupdate



C & Ccommunication

C & Ccommunication

spamtemplating

spamtemplating

targetselection

targetselection

C & Clocation

C & Clocation







Inspector Gadget 11


Outline

• Motivation– dynamic analysis reveals limited, temporary behavior

• Behavior analysis & extraction– storing identified behavior into gadget

• Behavior re-invocation– gadget player– gadget inversion

• So... again, why...?– benefit recap

• Gadget examples

Inspector Gadget 12


Behavior Analysisand Extraction

Inspector Gadget 13


Extraction Overview

4 stepprocess

Inspector Gadget 14


Extraction Overview

Anubiscontrol flow &instructions

API taint dependencies

step 1:dynamicanalysis

memoryaccesses

Find interesting behavior thatis to be extracted.Example: Hm, to which domain

am I connecting here??

Find interesting behavior thatis to be extracted.Example: Hm, to which domain

am I connecting here??

Inspector Gadget 15


Extraction Overview

Anubis

step 2:behavior

identification

control flow &instructions

control flow. outcome: API call / flow position

control flow. outcome: API call / flow position

Map selected behavior to analyzedprocess & thread, API accesses and

Inspector Gadget 16


Extraction Overview

Anubis

step 2.1:identificationrefinement


Find and suggest data manipulatinginstructions after chosen API call.Possibly refine chosen position toinclude the data processing.

Find and suggest data manipulatinginstructions after chosen API call.Possibly refine chosen position toinclude the data processing.

Inspector Gadget 17



memoryaccesses

step 3:backwardprogramslicing



memoryaccesses

Extraction Overview

call func1 add %esp ... call func2 add %esp call func3


DnsQuery_WDnsQuery_W

call StartS pop %eax push “abc” call DnsQry


StartServiceStartService DnsQuery_WDnsQuery_W






Inspector Gadget 18



memoryaccesses

step 3:backwardprogramslicing



memoryaccesses

Extraction Overview



DnsQuery_WDnsQuery_W









connectconnect

recvrecv

WSAStartupWSAStartup

... call connect jmp L_1L_0: call recv ...L_1: test %eax je L_0

... call connect jmp L_1L_0: call recv ...L_1: test %eax je L_0

Inspector Gadget 19


Extraction Overview

step 4:gadget

creation

Inspector Gadget 20


Extraction Overview

step 4:gadget

creation

001E:1000001E:1004001E:1008001E:100C001E:1010001E:1014001E:1018001E:101C001E:1020001E:1024001E:1028001E:102C001E:1030001E:1034001E:1038001E:103C001E:1040001E:1044

call <001E:1018>add %espcall <001E:103C>

call connectcall recv...test %eaxje <001E:101C>...push “abc”call DnsQuery_W fu

nc3

func

2m

ain



call connectcall recv...test %eaxje <001E:101C>...push <0018:A704>call DnsQuery_W fu

nc3

func

2m

ain



call @hookconnectcall @hookrecv...test %eaxje <001E:101C>...push <0018:A704>call @hookDnsQuery_W fu

nc3

func

2m

ain

Inspector Gadget 21


Extraction Overview

step 4:gadgetcreation

step 4:gadgetcreation

Extract gadget (standalone Dll) thatcan be imported into any (binary)application offering environment hooks.

Extract gadget (standalone Dll) thatcan be imported into any (binary)application offering environment hooks.

Inspector Gadget 22


Gadget Replay

Inspector Gadget 23


Gadget Player

• As library, the gadget can be reused in many areas– statically linked into the application– dynamically loadable

• … but, application must confine gadget execution– handle crashes (e.g., possible, invalid memory accesses)– one possibility: code emulation– here: separate, monitored thread with signal handling

• … and mediate accesses to the host OS– gadgets are guaranteed to contain no calls to system or API

functionality directly– each access is done through environment hooks

Inspector Gadget 24


Gadget Player

• Host OS accesses mediation: environment hooks– every system / API call is redirected to the gadget player

(using a multiplexor function)– player has the possibility to sanitize and/or manipulate call

parameters– if player decides to allow

the API invocation, calland parameters areforwarded to the actualimplementation (e.g., in-side a Windows library)

Gadget playerGadget player

gadget thread environment interface

AdvAPI32

User32

Inspector Gadget 25


Gadget Inversion

• Player can use gadget as transformation oracle– input is transformed into output, depending on algorithm

implemented by gadget– example: sample reads local data, obfuscates, and transmits to

remote host

Inspector Gadget 26


Gadget Inversion



remote host

• In many scenarios, the inverse algorithm would be interesting, however– we capture obfuscated traffic and want the plain-text data that has

was transmitted

Inspector Gadget 27


Gadget Inversion



remote host

• In many scenarios, the inverse algorithm would be interesting, however– we capture obfuscated traffic and want the plain-text data that has

was transmitted

• In the paper, we present basic inversion capabilities:– detect (taint) dependencies between bytes in input and output– apply guided brute-force heuristics to invert algorithm contained in

the gadget

Inspector Gadget 28


So … again, why...?

Inspector Gadget 29


Gadget Benefits

• … so why not simply execute it in a VM (over and over again)?– sleep timeouts: can be eliminated during gadget extraction– fast & lightweight analysis:

• no virtual environment, snapshot restoring• we ran our analysis on Linux (under Wine)!

– precise, uncluttered behaviorobservation

– advanced monitoring: theplayer has access to thegadget's heap and stackregions!

– environment tampering: allrequests go through a singleinterface: tamper with date ortime, registry settings, hostOS, remote hosts contacted, ...

Gadget playerGadget playergadget thread environment interface

User32

Inspector Gadget 30


Gadget examples

Inspector Gadget 31


Conficker DGA

• Conficker generates (pseudo) random domain names upon startup

• Current time, fetched from remote site (e.g., msn.com), controls domain generation randomization seed

• Randomly selected domain name is used for contacting C&C host

• Gadget:

– start extraction (slicing) from invocation of DnsQuery_W

– extracts complete Domain Generation Algorithm (DGA)– see one domain on query invocation– find all domains on gadget heap

• Possible environment tampering:– manipulate remote site's reply to change DGA input (i.e., date for

which domains are generated)

Inspector Gadget 32


Conficker DGA

P. Porras et al. “A Foray into Conficker's Logic and Rendezvous Points

Inspector Gadget control flow “debug output”

Inspector Gadget 33


Cutwail Spam Templating

• Cutwail (mass-mailer) generates spam Emails from templates downloaded from remote C&C hosts

• Communication employs proprietary encryption algorithm

• Template is not stored on file system– content decrypted and handled solely in memory

• Gadget:– inspect download behavior– start extraction after download is complete– Inspector suggests to automatically refine extraction

starting-point to end-of-decryption– extract complete template download & decryption algorithm

Inspector Gadget 34



"{_FIRSTNAME} {_LASTNAME}" <{MAIL_FROM}> Hello my new friend, I search a good man at other country...\n For me it to communicate for the first time with the person from other country, by Internet.\nAnd it ... {nReceived} MessageID: <{DIGIT[10]}.{SYMBOL[8]} {DIGIT[6]} @{nHOST}> From: {TAGMAILFROM} To: <{MAIL_TO}> Subject: {SUBJECT} Date: {DATE} MIMEVersion: 1.0 ContentType: multipart/mixed; boundary="=_NextPart_000_0006_{_nOutlook_Boundary}" XPriority: 3 XMSMailPriority: Normal XMailer: Microsoft Outlook Express {_nOutlookExpress_4}

"{_FIRSTNAME} {_LASTNAME}" <{MAIL_FROM}> Hello my new friend, I search a good man at other country...\n For me it to communicate for the first time with the person from other country, by Internet.\nAnd it ... {nReceived} MessageID: <{DIGIT[10]}.{SYMBOL[8]} {DIGIT[6]} @{nHOST}> From: {TAGMAILFROM} To: <{MAIL_TO}> Subject: {SUBJECT} Date: {DATE} MIMEVersion: 1.0 ContentType: multipart/mixed; boundary="=_NextPart_000_0006_{_nOutlook_Boundary}" XPriority: 3 XMSMailPriority: Normal XMailer: Microsoft Outlook Express {_nOutlookExpress_4}

Inspector Gadget 35



configver 194 addr 91.206.231.230 port 25 knockdelay 60 mxrecvtimeout 120 mxconntimeout 120 maxtrybadfrom 1 maxtryconn 5

configver 194 addr 91.206.231.230 port 25 knockdelay 60 mxrecvtimeout 120 mxconntimeout 120 maxtrybadfrom 1 maxtryconn 5

FIRSTNAME Christi Lea Staci Jodie Summer Katharine ...

LASTNAME Schafer Stacy Grayson Ham Landers Mims Parham Pritchett ...

name Lusia R., Texas Lusia R., New York Lusia R., Chicago Lusia R., Colorado Lusia R., Boston Lusia R., Washington Lusia R., Las Vegas Lusia R., Bellevue WA Lusia R., San Diego Amelia B., Chicago ...

FIRSTNAME Christi Lea Staci Jodie Summer Katharine ...

LASTNAME Schafer Stacy Grayson Ham Landers Mims Parham Pritchett ...

name Lusia R., Texas Lusia R., New York Lusia R., Chicago Lusia R., Colorado Lusia R., Boston Lusia R., Washington Lusia R., Las Vegas Lusia R., Bellevue WA Lusia R., San Diego Amelia B., Chicago ...

nHOST{nChar[515]}.{nChar[515]} .{LET:ru,org,com,va,net,biz, info,tv,ua,su}

nReceivedReceived: from [{nIP}] (helo={nHOST}) {N[1]}by {BOT_HOST} ...

nHOST{nChar[515]}.{nChar[515]} .{LET:ru,org,com,va,net,biz, info,tv,ua,su}

nReceivedReceived: from [{nIP}] (helo={nHOST}) {N[1]}by {BOT_HOST} ...

Inspector Gadget 36


URLZone Config Update

• URLZone (BHO banking-trojan) sniffs and manipulates user interaction with banking web-site

• Steals credentials and hides previous (malicious) transactions from user

• Remote configuration through encrypted configuration files– domains to attack– URLs to inspect– form content to modify

• Gadget:– extract complete template download & decrypt algorithm– similar to Cutwail gadget

Inspector Gadget 37


URLZone Config Update

STATA ITINJHOST=|my.hypovereinsbank.de|End ITINJPAGE=|/*?view=/*|End ... ITINJSTART=|Aktueller Kontosaldo</label>[*] |End ITINJEND=||End ITINJCODE=||End ITINJPASTE=|%HYPOBAL%+%AMOUNT%%TRUEAMOUNT%|End ITINJPASTEMN=|%HYPOBAL%+%AMOUNT% %TRUEAMOUNT%EUR|End

STATA ITINJHOST=|my.hypovereinsbank.de|End ITINJPAGE=|/*?view=/*|End ... ITINJSTART=|Aktueller Kontosaldo</label>[*] |End ITINJEND=||End ITINJCODE=||End ITINJPASTE=|%HYPOBAL%+%AMOUNT%%TRUEAMOUNT%|End ITINJPASTEMN=|%HYPOBAL%+%AMOUNT% %TRUEAMOUNT%EUR|End

=======================POST======================= [ITBEGINBLOCKHOOK] ITHOST=|banking.postbank.de|End ITPAGE=|/app/login.d*|End ITMETHOD=|2|End ITIFINIT=|%DISP%|End ITREQMATH=|jsOn=*&accountNumber=*&pinNumber=*|End

=======================POST======================= [ITBEGINBLOCKHOOK] ITHOST=|banking.postbank.de|End ITPAGE=|/app/login.d*|End ITMETHOD=|2|End ITIFINIT=|%DISP%|End ITREQMATH=|jsOn=*&accountNumber=*&pinNumber=*|End

Inspector Gadget 38


Summary

• Dynamic analysis is resource consuming, results are cluttered and limited to temporary snapshots of malicious behavior

• Inspector allows to automatically extract behavior into standalone gadgets

• Gadgets can be reused in many scenarios and – enhance information extraction– simplify repeated analysis of behavior

• Evaluation shows that extraction is applicable to real world, malicious programs

Inspector Gadget 39


Thanks for listening!

Documents

Presentation S&P 2010 Clemens Kolbitsch